Yesterday a post on the Bitcoin Security forum (Russia) by user tvskit created panic worldwide. The user revealed a 28.7 MB file that contained a list of 5 million GMAIL account passwords.

(Image: tvskit's post on btcsec.com)

To make it easier for people to verify whether their GMAIL account has been compromised, Egor Buslanov, who owns isleaked.com, has set up a page that lets people query their address against tvskit's list.

(Image: screenshot from isleaked.com)

Google, in a blog post, reassured GMAIL users that only about 2% of the leaked passwords might still be working. The post was contributed by Borbala Benko, Elie Bursztein, Tadek Pietraszek and Mark Risher of the Google Spam & Abuse Team. They stressed that the passwords must have been acquired through phishing mechanisms; a compromise of Google's own servers is therefore ruled out.


I noticed various articles and posts around the Internet that prompted people to change their GMAIL password immediately. Will this remedy the situation? Nope. If a cyber-criminal got your email password using malware or a phishing mechanism, then he or she can do it again.

To secure your current GMAIL account, it's recommended to enable Google's 2-step verification.

2-step verification works by asking for an additional code, which Google sends to your mobile phone. You may opt for SMS or phone-call delivery. Every time you log into any Google service from a new machine, you're prompted to enter the code Google sends you. Without that code you cannot log in even with the correct password, so this mechanism thwarts account takeovers that rely on a stolen password alone.
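To show why a stolen password alone is not enough once a second step is in place, here is an added, illustrative one-time-code check in Python. It is not Google's code and does not describe Google's implementation; the code length, the five-minute expiry, the three-attempt limit, the `send_code` delivery callback and the phone numbers are all assumptions constructed for this example.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6
CODE_TTL_SECONDS = 300   # assumption: a code expires after 5 minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the code


class SecondFactorChallenge:
    """One-time code delivered out of band (e.g. SMS) after the password check.

    send_code(phone_number, code) is whatever delivers the code; here it is
    injected so the example runs offline. `now` is injectable for testing expiry.
    """

    def __init__(self, send_code, now=time.time):
        self._send_code = send_code
        self._now = now
        self._pending = {}   # username -> [code, expiry_timestamp, attempts_left]

    def start(self, username, phone_number):
        # secrets.randbelow gives an unpredictable code; zero-pad to fixed length
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._pending[username] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_code(phone_number, code)

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False                     # no challenge outstanding
        code, expiry, attempts_left = entry
        if self._now() > expiry or attempts_left <= 0:
            del self._pending[username]      # stale or exhausted: start over
            return False
        # constant-time comparison so response timing does not leak digits
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[username]      # a code is single use
            return True
        entry[2] -= 1                        # burn one attempt on a wrong guess
        if entry[2] <= 0:
            del self._pending[username]
        return False


def demo():
    """Password already known to an attacker; only the phone's owner has the code."""
    delivered = {}   # constructed stand-in for the phone: records what the SMS carried
    challenge = SecondFactorChallenge(
        send_code=lambda phone, code: delivered.__setitem__(phone, code)
    )
    challenge.start("alice", "+00000000000")   # constructed phone number
    real_code = delivered["+00000000000"]
    # The attacker has no phone; model one guess that is guaranteed to be wrong.
    wrong_guess = f"{(int(real_code) + 1) % 10 ** CODE_LENGTH:0{CODE_LENGTH}d}"
    attacker_in = challenge.verify("alice", wrong_guess)
    # The legitimate user enters the code that actually reached their phone.
    user_in = challenge.verify("alice", real_code)
    return attacker_in, user_in


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The three properties worth copying are the unpredictable code source, the single-use and time-limited challenge, and the attempt cap: without them a leaked password plus unlimited guessing would still get in.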

(Image: screenshot of Google's 2-step verification settings)